ePHI on the Internet Results in $2.14 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving a religious-affiliated health care system. The health care system will pay $2.14 million to settle the potential HIPAA violations and must satisfy numerous requirements under the related corrective action plan.

Practical Law Legal Update w-004-0126 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 18 Oct 2016 | USA (National/Federal)
HHS has announced a $2.14 million agreement with a nonprofit, religious-affiliated health care system to settle potential HIPAA violations involving, among other issues, the disclosure of electronic protected health information (ePHI) (see HIPAA Privacy, Security, and Breach Notification Toolkit and the related press release). The health care system, a HIPAA covered entity:
  • Consists of acute care hospitals, home health agencies, hospice care, skilled nursing, and other services.
  • Includes 24,000 employees, 6,000 doctors, 137,000 inpatients and 3.6 million outpatients per year.
The disclosed ePHI included demographic, clinical and health insurance information, patient names, addresses, credit card numbers and expiration dates, and individuals' dates of birth.

Scope of HIPAA Compliance Failures

In February 2012, the health care system reported to HHS that files containing ePHI had been publicly accessible on the internet for just over a year, through Google and possibly other internet search engines (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). The files were exposed because a network server the health care system had purchased for storing them (in PDF format) shipped with default settings that made the files accessible to anyone with an internet connection, and the covered entity did not change those default settings after the purchase. The files contained combinations of information that included patient:
  • Names, body mass index (BMI), and blood pressure information.
  • Lab results, smoking status, and diagnoses lists.
  • Medication allergies and advance directive status.
  • Demographic information (including language, ethnicity, race, sex, and birth date information).
The breach did not include the patients' social security numbers or other financial data. The application that housed the files was shut down in February 2012, at which time external access to the ePHI was also blocked.
In the resulting investigation of the health care system, HHS determined that the following conduct occurred:
  • The year-long, impermissible disclosure of ePHI belonging to 31,800 individuals (from five of the health care system's hospitals).
  • The health care system's failure, for more than six years, to satisfactorily conduct an accurate and thorough analysis of the potential risks and vulnerabilities to its ePHI.
In addition, the health care system's use of the application to which the files were uploaded, and the related server configuration, caused an "environmental or operational change" that impacted the ePHI's security. According to HHS, this triggered the health care system's obligation under the HIPAA Security Rule to perform a technical and nontechnical evaluation (see Practice Note, HIPAA Security Rule). For over two years, the health care system failed to perform this evaluation, which compromised the ePHI's security.

Corrective Action Plan

In addition to the $2,140,500 payment, the health care system must adhere to a corrective action plan (CAP) that includes:
  • Performing a comprehensive, enterprise-wide risk analysis of security risks and vulnerabilities covering all electronic equipment, data systems, and applications that contain, store, transmit, or receive ePHI.
  • Developing a complete inventory of the covered entity's electronic equipment, data systems, and applications that contain or store ePHI.
  • Creating and adopting an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Providing its policies and procedures governing the use and disclosure of PHI to HHS for review, revising the policies and procedures in response to HHS's comments, and continuing this process until HHS approves the policies and procedures (at which point the covered entity must officially adopt them).
  • Forwarding to the government its proposed training materials on its policies and procedures, as revised to reflect HHS's comments, and providing training to workforce members (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials), and annual retraining for the CAP's duration.

Practical Impact

In recent public comments, HHS has identified the failure by HIPAA covered entities to conduct adequate risk analyses as a recurring compliance concern in its enforcement actions. In this case, HHS indicated that although the health care system hired various contractors to assess risks to its ePHI's confidentiality, integrity, and availability, that work was performed in a patchwork fashion and was not an enterprise-wide risk analysis. According to the HHS press release announcing this settlement, an enterprise-wide risk analysis is a requirement under the HIPAA Security Rule, and the lack of sufficiently thorough risk analyses has been a theme in other recent settlement agreements (see Legal Update, Despite Six Risk Analyses, University Must Pay $2.7 Million in HIPAA Settlement).
Regarding other recent resolution agreements in the HIPAA compliance space, see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations.